24797203 OpenStack RBAC profiles allow reading too many files
24797238 keystone RBAC and SMF should point at Apache log files
24797256 cinder RBAC and SMF should point at Apache log files
24830959 horizon RBAC and SMF should point at Apache log files
<?xml version="1.0" ?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
NOTE: This service manifest is not editable; its contents will
be overwritten by package or patch operations, including
operating system upgrade. Make customizations in a different
file.
-->
<service_bundle type="manifest" name="keystone">
<service version="1" type="service"
name="application/openstack/keystone">
<dependency name='multiuser' grouping='require_all' restart_on='error'
type='service'>
<service_fmri value='svc:/milestone/multi-user:default' />
</dependency>
<dependency name='upgrade' grouping='require_all' restart_on='none'
type='service'>
<service_fmri
value='svc:/application/openstack/keystone/keystone-upgrade' />
</dependency>
<dependency name='ntp' grouping='optional_all' restart_on='none'
type='service'>
<service_fmri value='svc:/network/ntp'/>
</dependency>
<dependency name='mysql' grouping='optional_all' restart_on='none'
type='service'>
<service_fmri value='svc:/application/database/mysql'/>
</dependency>
<dependency name='rabbitmq' grouping='optional_all' restart_on='none'
type='service'>
<service_fmri value='svc:/application/rabbitmq'/>
</dependency>
<logfile_attributes permissions='600'/>
<exec_method timeout_seconds="60" type="method" name="start"
exec="/lib/svc/method/keystone %m">
<method_context>
<method_credential user='keystone' group='keystone'
privileges='basic,{zone}:/system/volatile/keystone_wsgi_*'/>
</method_context>
</exec_method>
<exec_method timeout_seconds="60" type="method" name="stop"
exec="/lib/svc/method/keystone %m">
<method_context>
<method_credential user='keystone' group='keystone'/>
</method_context>
</exec_method>
<exec_method timeout_seconds="60" type="method" name="restart"
exec="/lib/svc/method/keystone %m">
<method_context>
<method_credential user='keystone' group='keystone' />
</method_context>
</exec_method>
<property_group type="framework" name="startd">
<propval type="astring" name="ignore_error" value="core,signal"/>
</property_group>
<instance name='default' enabled='false'>
<!-- to start/stop/refresh the service -->
<property_group name='general' type='framework'>
<propval name='action_authorization' type='astring'
value='solaris.smf.manage.keystone' />
<propval name='value_authorization' type='astring'
value='solaris.smf.value.keystone' />
</property_group>
<property_group name='keystone_stencil' type='configfile'>
<propval name='path' type='astring'
value='/var/lib/keystone/keystone.httpd.conf'/>
<propval name='stencil' type='astring' value='keystone.stencil'/>
<propval name='mode' type='astring' value='0444'/>
<propval name='owner' type='astring' value='keystone'/>
<propval name='group' type='astring' value='keystone'/>
</property_group>
<property_group name='config' type='application'>
<propval name='admin_port' type='count' value='35357'/>
<propval name='access_log' type='astring'
value='/var/log/keystone/keystone_access.log'/>
<propval name='error_log' type='astring'
value='/var/log/keystone/keystone_error.log'/>
<propval name='public_port' type='count' value='5000'/>
<propval name='servername' type='astring' value='127.0.0.1'/>
<propval name='use_tls' type='boolean' value='false'/>
</property_group>
</instance>
<template>
<common_name>
<loctext xml:lang="C">
OpenStack Keystone Identity Service
</loctext>
</common_name>
<description>
<loctext xml:lang="C">
keystone starts both the service and administrative APIs in a single
process to provide catalog, authorization, and authentication
services for OpenStack.
</loctext>
</description>
<documentation>
<external_logfile
path='/var/log/keystone/keystone_access.log'/>
<external_logfile
path='/var/log/keystone/keystone_error.log'/>
</documentation>
<pg_pattern required='true' type='application' name='config'>
<prop_pattern required='true' type='count' name='admin_port'>
<description>
<loctext xml:lang='C'>
The port for admin requests. Default value is 35357.
</loctext>
</description>
</prop_pattern>
<prop_pattern required='true' type='astring' name='access_log'>
<description>
<loctext xml:lang='C'>
The absolute path for the Apache access log file. Defaults to
/var/log/keystone/keystone_access.log
</loctext>
</description>
</prop_pattern>
<prop_pattern required='true' type='astring' name='error_log'>
<description>
<loctext xml:lang='C'>
The absolute path for the Apache error log file. Defaults to
/var/log/keystone/keystone_error.log
</loctext>
</description>
</prop_pattern>
<prop_pattern required='true' type='count' name='public_port'>
<description>
<loctext xml:lang='C'>
The port for public requests. Default value is 5000.
</loctext>
</description>
</prop_pattern>
<prop_pattern required='true' type='astring' name='servername'>
<description>
<loctext xml:lang='C'>
The Apache ServerName Directive. Hostname and port that the
server uses to identify itself.
</loctext>
</description>
</prop_pattern>
<prop_pattern required='false' type='astring' name='ssl_cert_file'>
<description>
<loctext xml:lang='C'>
Server PEM-encoded X.509 Certificate file.
</loctext>
</description>
</prop_pattern>
<prop_pattern required='false' type='astring' name='ssl_ca_cert_file'>
<description>
<loctext xml:lang='C'>
File of concatenated PEM-encoded CA Certificates for Client Auth.
</loctext>
</description>
</prop_pattern>
<prop_pattern required='false' type='astring' name='ssl_cert_key_file'>
<description>
<loctext xml:lang='C'>
Server PEM-encoded Private Key file.
</loctext>
</description>
</prop_pattern>
<prop_pattern required='true' type='boolean' name='use_tls'>
<description>
<loctext xml:lang='C'>
Boolean property to indicate usage of TLS. Defaults to 'false'.
</loctext>
</description>
</prop_pattern>
</pg_pattern>
</template>
</service>
<service version="1" type="service"
name="application/openstack/keystone/keystone-token-flush">
<logfile_attributes permissions='600'/>
<!-- to start/stop/refresh the service -->
<property_group name='general' type='framework'>
<propval name='action_authorization' type='astring'
value='solaris.smf.manage.keystone' />
<propval name='value_authorization' type='astring'
value='solaris.smf.value.keystone' />
</property_group>
<instance name='default' enabled='false'>
<dependency name='keystone' grouping='require_all' restart_on='none'
type='service'>
<service_fmri value='svc:/application/openstack/keystone:default' />
</dependency>
<scheduled_method interval='hour'
exec='/usr/bin/keystone-manage token_flush' timeout_seconds = '0' >
<method_context>
<method_credential user='keystone' group='keystone' />
</method_context>
</scheduled_method>
<template>
<common_name>
<loctext xml:lang="C">
OpenStack Keystone Token Flush Service
</loctext>
</common_name>
<description>
<loctext xml:lang="C">
The keystone database needs to flush the expired tokens on a regular
basis. As the default expiration is one hour, this will flush those
expired tokens once an hour.
</loctext>
</description>
</template>
</instance>
</service>
</service_bundle>